Android Reverse-android base reverse (2-2)

[toc]
# 0x00 Foreword
## 不 知道 Therefore naturally, please see
Android reverse-Android basic reverse (1)
Android reverse-Android basic reverse (2)
## And java series:
Android reverse-java code foundation (1)
Android reverse-java code foundation (2)
Android reverse-java code foundation (3)
Android reverse-java code foundation (4)
Android reverse-java code foundation (5)
Android reverse-java code foundation (6)
Android reverse-java code foundation (7)
Android reverse-java code foundation (8)
Due to the length of the pseudo-encryption part of the previous Android Reverse-Android Basic Reverse (2), the other content was not completed, so the Android Reverse-Android Basic Reverse (2-2) is here. I hope that you can complete the content of the plan.
##Learning Content
(1) APK file pseudo encryption√
(2) Anti-decompilation of resource files
(3) apk packaging process
(4) apk decompilation process
(5) apk back compilation process,
# 0x01 Anti-decompilation of resource files
I said before that you can prevent a certain degree of decompilation by changing the fourth field. So in addition to this pseudo-encryption, what other ways can prevent the emergence of this kind of pseudo-encryption?
Let's see how resource files prevent decompilation.
Naturally we need to study the format of the xml file. The fourth brother had already analyzed in 2016, but that was analyzed by others, and it was impossible to learn more about it only by others. The paper must come to an end, and never know what to do. so, this is it.
## 1. The first module

Here is an example analysis. Let's use the simple apk in Android Reverse-Android Basic Reverse (1).
### 1.1 Magic Number

Here the magic number is 00 08 00 03, this is a fixed value.
### 1.2File Size
This is used to confirm the file size.

Here is 00 00 07 90, which is 1970 bytes.
### 1.3Analysis with Python
The fourth brother wrote in java, I will write an ugly python, and I still have any mistakes or bad things in the process of learning python.
This is the code that implements this module. But I feel that it is tedious to write, wait for a while to modify it appropriately.

At 11:57:35 on January 27, 2018, I was busy doing something else.

def fenxi(filename):
    try:
        f=open(filename,‘rb‘)
        print ‘start--------‘
        i=0
        p1=""
        p2=""
        p3=""
        p4=""
        p=""
        while True:
            t=f.read(1)
            t1=t.encode(‘hex‘)
            if i==0:
                p1=t1
            if i==1:
                p2=t1
            if i==2:
                p3=t1
            if i==3:
                p4=t1
            i=i+1
            if i<4:
                p=p+" "
            if i==4:
                break
            pass
        p=p4+" "+p3+" "+p2+" "+p1   
        print "Magic Number:",p
        i=0
        p1=""
        p2=""
        p3=""
        p4=""
        p=""
        while True:
            t=f.read(1)
            t1=t.encode(‘hex‘)
            if i==0:
                p1=t1
            if i==1:
                p2=t1
            if i==2:
                p3=t1
            if i==3:
                p4=t1
            i=i+1
            if i<4:
                p=p+" "
            if i==4:
                break
            pass
        p=p4+" "+p3+" "+p2+" "+p1   
        print "FileSize:",p
    except IOError:
        print "This is bad for input ‘",name,"‘." 
        print "You can enter -h for help." 

2. The second module

### 1.Chunk Type
String Chunk identifier, default is 00 08 00 03

2.Chunk Size
The size of the String Chunk.


3.String Count
The number of strings.

4.Style Count
Number of styles


5.Unknow


6.String Pool Offset
Header offset, which is the position of String Chunk.


7.Style Pool Offset
The style is offset, but because the style does not. So all here are 0

8.String Offsets
This is a string offset, and the size is String count * 4 bytes

9. Constant pool
This is the main place. But there is an empty string of 0 in the middle. Need to pay attention, and then use a loop to easily analyze it.
Post the code part here.

while True:
            t1=f.read(1)
            t2=f.read(1)
            tf1=t1.encode(‘hex‘)
            tf2=t2.encode(‘hex‘)
            p1=tf2+tf1
            ph=int(p1, 16)
            p3=""
            i=0
            while True:
                t=f.read(1)
                t1=t.encode(‘hex‘)
                p=int(t1, 16)
                p3=p3+chr(p)
                t=f.read(1)
                i=i+1
                if i==ph:
                    break
                pass
            print "first string:",p3
            t=f.read(2)
            if l==12:
                t=f.read(4)
            l=l+1
            if l==x-1:

                break

Running result display:


3. The third module Resourceld Chunk

This chunk mainly stores the resource Id corresponding to the system property value used in AndroidManifest

3.1 Chunk Type
Like other chunks, they all have eigenvalues. The eigenvalues of Resourceld Chunk are: 0x00080108

3.2 Chunk Size
There is nothing to explain about Size.

3.3 Resourcelds


Here you can find the corresponding string in frameworks \ base \ core \ res \ res \ values \ public.xml according to the id.
Here is a simple code module:

a=p/4-2
        i1=0
        while True:
            i=0
            p1=""
            p2=""
            p3=""
            p4=""
            p=""
            while True:
                t=f.read(1)
                t1=t.encode(‘hex‘)
                if i==0:
                    p1=t1
                if i==1:
                    p2=t1
                if i==2:
                    p3=t1
                if i==3:
                    p4=t1
                i=i+1
                if i==4:
                    break
                pass
            p=p4+p3+p2+p1   
            p5=p4+" "+p3+" "+p2+" "+p1
            p=int(p, 16)
            print "123id:",p,"bytes","hex:",p5
            i1=i1+1
            if i1==a:
                break 

4. The fourth module

This chunk mainly contains the contents of the command space in an AndroidManifest file

4.1 Chunk Type
The feature code is not emphasized here. The feature code is 00 10 01 00.

4.2 Chunk Size
Chunk size.

4.3 Line Number
Line number in AndroidManifest file

4.4Unknown
Unknown area, generally ffff

4.5 Prefix
Namespace prefix

4.6Uri
Urk of the namespace

5. The fifth module
This module is mainly used to store label information
It's going to be awkward here. When the fifth module was about to finish, suddenly the mouse's back button was pressed. I was wondering if it should be written locally, not in the cloud, which is so touching. sad. Ready to be lazy.

5.1 Chunk Type
Flag field, fixed character.
00 10 01 02

5.2 Chunk Size
Chunk size

5.3 Line Number
Number of lines, same as the previous paragraph

5.4 Unknown
Location area

5.5 Namespace Uri
The uri used for the label, but it may also return ff ff ff ff.
Code:

i=0
    p1=""
    p2=""
    p3=""
    p4=""
    p=""
    while True:
        t=f.read(1)
        t1=t.encode(‘hex‘)
        if i==0:
            p1=t1
        if i==1:
            p2=t1
        if i==2:
            p3=t1
        if i==3:
            p4=t1
        i=i+1
        if i==4:
            break
        pass
    p=p4+p3+p2+p1   
    p=int(p, 16)
    try :
        print "Namespace Uri:",list[p]      
    except IndexError:
        print "Namespace Uri is nothing"

5.6 name
Label name field

5.7 flags field
Flag whether to start or end flags

5.8 Attribute Count
Contains the number of attributes

5.9 Class Attribute
Class attributes included in the tag

5.10 Attributes
Property content. Including NamespaceUri, Name, ValueString, type, Data, these five fields.

6. The sixth module

This is the same as the fifth block.

7. The seventh module
Because it is the same as the previous module, it will not be explained here.

reward
## python
1.python right shift
2.python format conversion
3. Analysis of binary modules
4. This is the biggest receipt and got an xml file analysis tool.
5.github address: xml.py file analysis

Concluding remarks
I feel that there is a lot of content here, so I have to divide it into many small pieces. Why write xml analysis here, because the purpose of hardening is to prevent decompilation. Then we can perform targeted hardening for the decompiler software, which will be explained in detail in the next block.

Android Reverse-Android Basic Reverse (2-2)